Service Authentication

Authenticating service accounts

Service accounts are used in conjunction with public-private key pairs, secrets, permissions, and authentication tokens to provide access for DC/OS services to DC/OS. Service accounts control the communications and DC/OS API actions that the services are permitted to make.

Service Authentication Components

JSON Web Tokens (JWT)

Service authentication involves two JSON Web Tokens (JWT) for service authentication.

Service Login token To log in to DC/OS, a service login token is required. It is a JWT signed with the service’s private key, and serves as a one-time password. A service login token should be generated for one-time usage (for example, for a single service login procedure) and should include an expiration.

Authentication token After a service connects to DC/OS with the service login token, the IAM service creates an authentication token which the service can then use to authenticate its outgoing requests to DC/OS. An authentication token can be used for long-term access.

Mesos Authentication Principal

DC/OS services supply a principal when they register with the Mesos masters. In strict security mode, the service account name must match the name specified in the principal. For more information about principals, see the Mesos documentation.